• 
  
• Adobe Reader 8.1 and earlier
  
• Adobe Acrobat Professional, 3D, and Standard 8.1 and earlier
  
• Adobe Reader 7.0.9 and earlier
  
• Adobe Acrobat Professional, 3D, Standard, and Elements 7.0.9 and earlier
  

• 
  
  
• Adobe Reader version 8.1.2 and earlier
  
• Adobe Acrobat (Professional, 3D, and Standard) version 8.1.2 and earlier
  
  Overview: By convincing a user to download a malicious PDF file, an attacker could execute code or cause a computer to crash. The malicious file could be downloaded by just visiting a malicious website that contains the file.
  
  Solution
  1. Upgrade: Adobe recommends that users with version 8 of Adobe Reader or Acrobat upgrade to version 8.1.3. Links to these versions are available in the security bulletin at:
  http://www.adobe.com/support/security/bulletins/apsb08-19.html
  
  2. Disable JavaScript in Adobe Reader and Acrobat: Disabling JavaScript in Adobe Reader and Acrobat may prevent this vulnerability from being exploited. In Acrobat Reader, JavaScript can be disabled in the General preferences dialog:
  • 
    
  • Open the Edit menu
    
  • Choose the Preferences option
    
  • Choose the JavaScript option
    
  • De-select "Enable Acrobat JavaScript"

Quote:

 

Of the targeted attacks on managers, politicians and other high-ranking individuals registered this year, almost 50 per cent have exploited six security vulnerabilities in Adobe's PDF products.

Quote:

 

The attacks involve criminals sending prepared documents to their victims in order to infect and spy on their PCs.

Quote:

 

According to Hypponen, users often fail to update their applications and are not aware that important security updates have been released. Automatic update requests were also often ignored. In Hypponen's opinion, Adobe should establish a regular update cycle for its products in the same way as Microsoft.

Quote:

 

Annotation tool: Have you ever wished to annotate (or comment on) a PDF document when you are reading it? Foxit Reader allows you to draw graphics, highlight text, type text and make notes on a PDF document and then print out or save the annotated document.
Text converter: You may convert the whole PDF document into a simple text file.

Quote:

 

April 29, 2009 (Computerworld) Adobe Systems Inc. late yesterday acknowledged that all versions of its popular PDF software, including editions for Windows, the Mac and Linux, contain at least one, and possibly two, critical vulnerabilities.

"All currently supported shipping versions of Adobe Reader and Acrobat, [Versions] 9.1, 8.1.4 and 7.1.1 and earlier, are vulnerable to this issue," said David Lenoe, the company's security program manager, in a blog entry yesterday.

Quote:

 

In lieu of a patch, Lenoe recommended that users disable JavaScript in Reader and Acrobat by selecting Preferences from the Edit menu, choosing "JavaScript," then unchecking the "Enable Acrobat JavaScript" option. (On the Mac, Preferences is under the "Adobe Reader" or "Adobe Acrobat" menus.)

Quote:

 

If Adobe's patching pace for the newest bugs matches that of the February incident, it should have a fix available during the week of May 18.

Andrew Storms, director of security operations at nCircle Network Security Inc., who yesterday blasted Adobe for its long-running "rash" of JavaScript vulnerabilities, today applauded the company for reacting faster -- even as he again criticized its buggy software.

"Getting mitigations and work-around information out in front of the people in the security trenches is key," Storms said in an instant message. "Unfortunately, for Adobe, disabling JavaScript is a broken record, [and] similar to what we've seen in the past with Microsoft on ActiveX bugs."

Some security experts have urged users to switch PDF viewers. Finnish security company F-Secure Corp. repeated that recommendation today. "We've said it before, but it's worth repeating -- use an alternative to Adobe Acrobat Reader," said Patrik Runald, a security response manager at F-Secure, in a notice on the company's site. "[And] if you can't change from Adobe Reader, we strongly recommend that you disable its ability to run JavaScript."

Quote:

 

Hackers can exploit a flaw in Adobe's Flash to compromise nearly every Web site that allows users to upload content, including Google's Gmail, then launch silent attacks on visitors to those sites, security researchers said today.

Adobe did not dispute the researchers' claims, but said that Web designers and administrators have a responsibility to craft their applications and sites to prevent such attacks.

"The magnitude of this is huge," said Mike Murray, the chief information security officer at Orlando, Fla.-based Foreground Security. "Any site that allows user-uploadable content is vulnerable, and most are not configured to prevent this."

Quote:

 

The only current defense users can employ against such attacks is to stop using Flash, or failing that, restrict its use to sites known to be safe with tools such as the NoScript add-on for Mozilla's Firefox, or ToggleFlash for Microsoft's Internet Explorer.

"The best mitigation is to not use Flash," argued Murray, "but we know that that's impossible for most users, since Flash is so widely used on the Web."

"Almost everyone using the Internet is vulnerable to a Web site that allows content to be updated inappropriately," said Murray. "That's not hyperbole, it's just fact. This has the potential to affect any social media site, any career site, any dating site, many retail sites and many cloud applications. That's why this attack is so serious. End users would never know they got exploited."